X-Force Threat Score FAQs
The X-Force® Threat Score is an analytical, adaptive score that reflects the likelihood of a threat being relevant to an organization. It is based on various captured threat vectors, such as organization profile, threat severity and risk, and environment sightings.
- How does the X-Force Threat Score consider both the likelihood and impact of the threat?
- What data assets are used for the X-Force Threat Score?
- Can additional data assets be used to improve the X-Force Threat Score?
- What is Threat severity and why is it important to customers?
- How are the data assets used in the calculation of the X-Force Threat Score?
- Can the categories and weights in the X-Force Threat Score be modified?
- If Universal Data Insights data sources are not connected, how does this affect the X-Force Threat Score?
- How often is the X-Force Threat Score updated for each threat?
- Can an X-Force Threat Score be requested on demand for a threat?
- What happens if the customer has not configured the preferred industries and locations or has not connected any data sources?
How does the X-Force Threat Score consider both the likelihood and impact of the threat?
The likelihood of a threat is considered by assessing organization-provided information, such as the geographical areas and industries of interest. By knowing relevant industries and geographies, Threat Intelligence Insights can:
- Look closer into the threat landscape for activities in those industries and geographies.
- Consider all indicators of compromise (IoCs) that are known for each industry and geography.
- Search for data that matches those industries and geographies across IBM data assets.
The actual impact is considered in the assessment when customers connect their back-end data sources such as IBM® QRadar, Splunk, and others. When a data source is connected, Threat Intelligence Insights scans for all known indicators of the threats in the environment and updates the X-Force Threat Score.
What IBM data assets are used for the X-Force Threat Score?
The data assets that are used as part of the X-Force Threat Score include:
- My organization profile
  The industries and locations that are of interest to the organization. Customers can modify their preferred industries and locations anytime at the platform level.
- Threat severity
  The IBM X-Force IRIS threat hunters' assessment of the severity of a threat. This assessment is an internal, IBM-derived score and cannot be modified externally.
- My environment
  Am I Affected scans for indicators of compromise across connected data sources such as QRadar, Splunk, and others. Customers can add or remove data sources anytime.
- Indicator risk
  The risk level for each indicator of compromise in every threat that is identified as relevant to the customer based on selected industries and geographies of interest. Threat data and risk levels are updated automatically by the broader X-Force research database and cannot be modified externally. You can think of this information as the toxicity of every indicator known for every threat.
- IBM MSS data
  Sightings data for IoCs across the large base of IBM customers under Managed Security Services (MSS), with specific attention on related industries and geographies. MSS data usage cannot be modified externally.
Can additional data assets be used to improve the X-Force Threat Score?
Currently, the only data assets that can be added or removed are those assets that are under the Universal Data Insights service. For more information about connectors, see Connect a data source. External threat data from third-party vendors or customer-generated data is not yet supported.
What is threat severity and why is it important to customers?
Threat severity is a score that the IBM X-Force IRIS team assigns to each threat. The score is calculated when the threat is first identified and researched, and indicates the group's initial assessment of threat severity. Threat hunters use a combination of metrics that are documented during the research phase, for example, attack currency, potential impacts, intelligence confidence, attackers, affected industries, affected regions, and more. They then use a proprietary, IBM-developed model to calculate the score.
How are the data assets used in the calculation of the X-Force Threat Score?
The different data assets and analytical modules are grouped in categories. The categories are used in an IBM proprietary mathematical model that determines the likelihood and actual impact of the threats. The categories carry different percentage weights in the overall X-Force Threat Score, assigned as follows:
- Threat severity (30%)
- My organization profile (25%)
- Indicator risk (10%)
- My environment (35%)
Can the categories and weights in the X-Force Threat Score be modified?
The categories are a function of the data assets or analytical modules that are used in the X-Force Threat Score. The categories can be modified only by adding or removing data sources that you want to scan. The weights are currently assigned by IBM and cannot be modified.
If Universal Data Insights data sources are not connected, how does this affect the X-Force Threat Score?
If no data sources are configured, then the X-Force Threat Score indicates only the likelihood of impact of the threat. Without data sources to scan against, it cannot determine the actual impact in a customer's environment. Because of the 35% weight of the Universal Data Insights data (My environment) toward the overall score, the threat that is presented to the customer does not have a score greater than 65%.
To better determine the potential impact of a threat to a customer environment, connect all available data sources for a wider search. If the threat is sighted several times in the environment, the X-Force Threat Score can provide a more accurate assessment of the threat's relevance and impact.
How often is the X-Force Threat Score updated for each threat?
The threat score is updated in near real time for all ad hoc (or on-demand "Scan now") scans. For entitled users, the threat score is also updated once every 24 hours by an automated process for overnight, continuous scans.
Can an X-Force Threat Score be requested on demand for a threat?
While scores are recalculated after all on-demand scans (see above), a score itself cannot be requested separately from a scan.
What is the default X-Force Threat Score if the customer has not configured the preferred industries and locations or has not connected any data sources?
The X-Force Threat Score is an adaptive service. If there are no organization profile settings or connected data sources, the score reflects only the Threat severity and Indicator risk. As the user adds a profile and connects data sources, the X-Force Threat Score can more accurately determine likelihood and impact of a threat.
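The score ceilings described in the answers on unconnected data sources and on the default score matter when escalation thresholds are set against the X-Force Threat Score. The following is an added example, not IBM code: it assumes the published category weights combine additively (the real model is proprietary), infers the 40% ceiling for the no-profile, no-data-source case from that assumption, and uses constructed rule names and thresholds.

```python
# Added illustration, not IBM code: the real scoring model is proprietary.
# Assumption: category weights add up linearly, as the 65% ceiling implies.
WEIGHTS = {
    "threat_severity": 30,
    "my_organization_profile": 25,
    "indicator_risk": 10,
    "my_environment": 35,
}

def score_ceiling(profile_configured, data_sources_connected):
    """Highest score any threat can reach with the given configuration."""
    active = ["threat_severity", "indicator_risk"]  # IBM-supplied, always present
    if profile_configured:
        active.append("my_organization_profile")
    if data_sources_connected:
        active.append("my_environment")
    return sum(WEIGHTS[name] for name in active)

def unreachable_rules(rules, profile_configured, data_sources_connected):
    """Return the rules whose threshold lies above the achievable ceiling."""
    ceiling = score_ceiling(profile_configured, data_sources_connected)
    return {name: t for name, t in rules.items() if t > ceiling}

def share_of_ceiling(score, profile_configured, data_sources_connected):
    """Express a displayed score as a percentage of the achievable ceiling."""
    ceiling = score_ceiling(profile_configured, data_sources_connected)
    if not 0 <= score <= ceiling:
        raise ValueError(f"score {score} is outside 0..{ceiling}")
    return round(100 * score / ceiling, 1)

# Constructed escalation rules (hypothetical names and thresholds).
RULES = {"page_on_call": 80, "open_ticket": 60, "weekly_review": 35}

if __name__ == "__main__":
    for profile, sources in [(True, True), (True, False), (False, False)]:
        print(f"profile={profile} sources={sources}",
              f"ceiling={score_ceiling(profile, sources)}",
              f"never fire: {sorted(unreachable_rules(RULES, profile, sources))}")
    print(share_of_ceiling(52, True, False))
```

A rule reported as unreachable will stay silent regardless of how relevant a threat is, until the missing profile settings or data sources are configured.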